Abstract

Strongly unforgeable signature schemes provide a more stringent security guarantee than the
standard existential unforgeability. It requires not only that forging a signature on a new message
is hard, but also that it is infeasible to produce a new signature on a message for which the adversary
has seen valid signatures before. Strongly unforgeable signatures are useful both in practice and
as a building block in many cryptographic constructions.

This work investigates a generic transformation that compiles any existential-unforgeable
scheme into a strongly unforgeable one, which was proposed by Teranishi et al. [30] and was proven
in the classical random-oracle model. Our main contribution is showing that the transformation
also works against quantum adversaries in the quantum random-oracle model. We develop proof
techniques such as adaptively programming a quantum random-oracle in a new setting, which
could be of independent interest. Applying the transformation to an existential-unforgeable
signature scheme due to Cash et al. [?], which can be shown to be quantum-secure assuming
certain lattice problems are hard for quantum computers, we get an efficient quantum-secure
strongly unforgeable signature scheme in the quantum random-oracle model.
1 Introduction

Digital signatures are a fundamental primitive in modern cryptography and have numerous
applications. In a signature scheme, a signer uses his/her secret key to generate a signature
on a message. Anyone who knows the corresponding public key can verify the integrity of the
message and that it comes from the genuine signer. A standard security notion for digital
signatures is called existential unforgeability under adaptive chosen-message attacks (eu-acma
in short). Basically it means that an adversary, without knowing the secret key of a user,
cannot forge a valid signature on a new message. This should hold even if the adversary
has seen a few signatures generated by the honest user on messages adaptively chosen by
the adversary. Another important security notion, stronger than eu-acma, is called strong
existential unforgeability (su-acma). Here, in addition to eu-acma, it should be infeasible to
forge a new signature on a previously signed message. Aside from applications in some
practical scenarios [?], su-acma signatures turn out to be a very powerful tool in other
cryptographic constructions. For instance they are used in transforming encryption schemes
that are secure under chosen-plaintext attacks into schemes secure under chosen-ciphertext
attacks [?], and in constructing identity-based blind signatures [?] and group signature
schemes [?].

Strongly unforgeable signature schemes can be obtained from existential-unforgeable ones
via generic transformations [?]. The transformation in [30] (referred to as TOO
hereafter) is particularly interesting because it only needs a mild computational assumption
and the overhead it adds to the efficiency is small. This work studies this transformation in
the quantum setting, where adversaries have the power of processing quantum information.
We want to ask: does the TOO transformation still hold in the presence of quantum adversaries,
and furthermore can we obtain quantum-secure su-acma signatures systematically?

There is no quick answer to this question. In general a classically secure cryptographic
construction can completely fall apart against quantum adversaries for at least two reasons.
First of all, quantum computers can solve some problems efficiently which are otherwise
believed hard classically. This breaks the computational assumption in many constructions.
For example, many existing eu-acma signature schemes, the starting point of the transformation,
are based on factoring or discrete logarithm. The TOO transformation itself
also uses the discrete logarithm problem. They are immediately broken by Shor's quantum
algorithms [27]. Naturally we may want to switch to quantum-safe assumptions. For example,
we assume certain lattice problems are hard even against quantum algorithms and
then construct cryptosystems based on them [?]. However, this does not fix everything
immediately, due to another reason which is more subtle. Security of a construction is
established by a security reduction, which is a proof by contradiction showing that if a scheme
is not secure, then one can break a computational assumption. Unfortunately, as pointed
out by a line of works (e.g., [?]), classical security reductions may not hold in
the presence of quantum adversaries due to technical difficulties such as quantum rewinding.

There is an additional complication, which turns out to be the main difficulty in
making the TOO transformation go through in the quantum setting. Classically, TOO is
proven in the random-oracle model (RO), where a hash function is treated as a truly random
function and all users evaluate the hash function by querying the random function. However,
once an adversary becomes quantum, we should naturally allow the queries to be in quantum
superposition. This is formalized as the quantum random-oracle model (QRO) [7]. The bad
news is that many classical tricks in RO become difficult to apply in QRO, if not entirely
impossible. For starters, classically it is trivial to answer random-oracle queries on-the-fly by
generating a fresh random value for each new query while maintaining a table to keep consistency.
It is not obvious that a similar trick can handle quantum superposition queries. There
have been a host of works in recent years developing proof techniques in QRO [?],
but many classical techniques are still missing their counterparts in QRO.

Our Contributions. Our main result is showing that the TOO transformation still works
against quantum adversaries in the quantum random-oracle model under reasonable computational
assumptions. Specifically, we first make a simple observation that classically
the TOO transformation actually holds using any (generic) chameleon hash function, rather
than the specific instantiation from the discrete log problem. As our central contribution, we
prove that once the chameleon hash function and the eu-acma signature scheme are both
quantum-safe, the TOO transformation will produce a quantum-safe su-acma signature
scheme in the quantum random-oracle model. In our proof, we develop a technique that
allows for adaptively programming a quantum random-oracle in a new setting. We hope
this technique can find applications and extensions elsewhere.

Once we have the transformation ready, we demonstrate instantiations of the building
blocks to obtain concrete quantum-safe su-acma schemes. Using tools from [?], it is easy to
verify that the bonsai-tree signature scheme by Cash et al. [?] is eu-acma against quantum
adversaries assuming some lattice problem is quantum-safe.¹ In [?], a chameleon hash
function was also proposed based on the same computational assumptions, and it is easy to
check that it is quantum-safe as well. Putting these pieces together, we can get a quantum-safe
su-acma scheme.

Overview of Our Proof Techniques in QRO. As we mentioned earlier, many proof
techniques in classical RO do not immediately go through in the QRO model. Roughly
speaking, the classical proof for the TOO transformation relies on two features of the classical
RO model: the history of queries that an adversary makes to the RO can be recorded,
and at various steps one can assign a fresh random value to an input, since the response
at an input need not be determined before being queried. Both become difficult in
the quantum setting. Copying quantum superposition queries, which are unknown quantum
states, is generally impossible, and apparently a single quantum query of the form
$\sum_{x,y} |x, y\rangle \mapsto \sum_{x,y} |x, O(x) \oplus y\rangle$ would "see" the function values at all inputs.
It is hence unclear how to change $O(x)$ later without being caught.

The first issue turns out to be non-essential. The purpose of keeping the RO queries is
to make sure some special input $x^*$ has not been queried by the adversary. Otherwise $x^*$
can be used to break some assumption. In the quantum setting, we can just pick one of the
queries at random and measure it. If the overall amplitude that the adversary intends to query
at $x^*$ is high, the probability that we recover $x^*$ is only reduced by essentially a polynomial
factor (the number of the adversary's RO queries).

We then come up with a technique for adaptively programming a QRO in a new setting.
Namely we want to change the function value at various inputs over which the adversary has
partial control (e.g., the prefix of these inputs is chosen by the adversary). Intuitively this
is possible when these inputs still have sufficient uncertainty to the adversary. There exist
techniques for the case where these input strings are information-theoretically undetermined,
possessing a high min-entropy for example [?]. In contrast, in our case these inputs
are computationally difficult for the adversary to decide. Namely, these inputs remain
uncertain to the adversary unless some computational assumption is broken. We show that
this is already sufficient freedom for programming the answers on these inputs. Being a
little more specific, we show that the computational assumption implies indistinguishability
of two functions to which a distinguisher can have quantum access: one is the all-zero
function, and the other marks a set of strings that could be used to break the computational
assumption. This may be interpreted as a computational analogue of the Grover search
lower bound in quantum query complexity. This enables us to program a quantum random-oracle
adaptively. Basically, the random-oracle embeds one of the preceding functions, and
programming the random-oracle roughly amounts to switching between the two functions.
Since the two functions are indistinguishable, any efficient quantum algorithm querying the
random-oracle cannot notice whether we have re-programmed the quantum random-oracle.
From a technical point of view, these claims may not sound very surprising. Nonetheless,
we view them as an interesting conceptual shift, which is similar in spirit to [?], where the
authors showed that computational constraints can force measurement on a quantum state
and cause collapse to particular subspaces. Our techniques also complement existing ones
that are of an information-theoretic flavor.


¹ Actually, we observe a tighter security reduction so that a slightly weaker assumption on the lattice
problem is sufficient.
Related Works. Boneh and Zhandry [?] considered a stronger type of quantum attacks
on signature schemes where an adversary can query a signing oracle in superposition. They
proposed general transformations which amplify schemes that are secure against ordinary
quantum adversaries (i.e., those who only issue classical signing queries, as we consider in
this work), to achieve security under attacks with superposition signing queries. In contrast,
the transformation in our work only considers ordinary quantum adversaries, but
tries to amplify in terms of the type of forgeries that an adversary can produce. Lyubashevsky
[?] applied the Fiat-Shamir paradigm to construct lattice-based su-acma signatures
in the random-oracle model from identification schemes. However, whether these
schemes are quantum-secure is unclear, because proving quantum security of the identification
schemes faces the difficulty of quantum rewinding. More importantly, there is negative
evidence that the Fiat-Shamir paradigm may not hold in general in the QRO model [?].
Dagdelen et al. [?] showed that a variant of Fiat-Shamir works in the QRO model, but only
for a very special form of identification schemes. In a recent work by Unruh [?], a general
transformation is proposed, which can produce (quantum-safe) strongly-unforgeable signatures
in the QRO model from general Σ-protocols. However the overhead is much larger
than that of the Fiat-Shamir transformation, and the resulting signature schemes are less efficient
than what can be obtained from our work. We remark that there is a generic Merkle-tree
approach that produces su-acma schemes out of su-acma one-time signature schemes, which
should still hold against quantum adversaries. Therefore in principle, lattice-based one-time
signatures, as in [?], would suffice for full-fledged quantum-safe su-acma schemes. However
the resulting scheme is usually far less efficient and costly to manage (because it is typically
stateful).

2 Preliminaries

We review necessary definitions and cryptographic tools in this section. 

► Definition 1 (Signature Scheme). A signature scheme is composed of a triplet of probabilistic
polynomial-time algorithms $(G, S, V)$, satisfying the following:

- $G$ is the key generation algorithm. On running, it produces a pair $(pk, sk)$. $pk$ is the
public key, or verification key, while $sk$ is the secret key, or signing key.

- $S$ is the signing algorithm. Upon input of a message $M$ from a message space $\mathcal{M}$, as
well as a secret key $sk$, it produces a signature $\sigma$ on that message.

- $V$ is the verification algorithm. It takes in a message $M$, a signature $\sigma$, and a public key
$pk$, and will output either 'accept' or 'reject'.

Signature schemes must satisfy the correctness requirement, which is that for any
$(pk, sk)$ generated by $G$, and any $M \in \mathcal{M}$, if $\sigma \leftarrow S(M, sk)$ then $V(M, \sigma, pk) = $ 'accept'.

A standard security notion for signature schemes is existential unforgeability under
adaptive chosen message attack (eu-acma).

► Definition 2 (Existential Unforgeability under Adaptive Chosen Message Attack). Consider
the following game between a challenger $C$ and a forger $A$:

- $C$ runs $G$, and sends the resulting $pk$ to $A$.

- $A$ sends up to $q$ messages $M_1, M_2, \ldots, M_q$ to $C$, one at a time. For each message $C$ receives,
she sends back $\sigma_i = S(M_i, sk)$ to $A$.

- $A$ finally outputs a pair $(M^*, \sigma^*)$ to $C$. We call this a valid forgery if $M^* \neq M_i$ for all
$i \in \{1, \ldots, q\}$ and $V(M^*, \sigma^*, pk) = $ 'accept'.

If, for polynomially bounded $q$, it is computationally infeasible for $A$ to come up with
a valid forgery, the scheme is said to be existentially unforgeable under adaptive chosen
message attack.

► Definition 3 (Strong Unforgeability under Adaptive Chosen Message Attack). Strong
unforgeability under adaptive chosen message attack, or su-acma, is defined in the
same way as eu-acma, except that the pair $(M^*, \sigma^*)$ that $A$ eventually submits must only
satisfy $(M^*, \sigma^*) \neq (M_i, \sigma_i)$ for all $i$, instead of the requirement that $M^* \neq M_i$. This
change means that the forgery $A$ submits may either be on a new message, or may be on a message
that $C$ has already signed, but with a new signature.

Note that by allowing $A$ to submit more kinds of forgeries, if it is still computationally
infeasible for $A$ to succeed, then we know that this type of forgery also cannot be created,
making the scheme in a sense stronger.

Chameleon hash functions. Chameleon hash functions were introduced by Krawczyk
and Rabin [?]. We need a slight generalization proposed in [?]. A family $\mathcal{H}$ of chameleon
hash functions is a collection of functions $h$ that take in a message $m$ from a message space
$\mathcal{M}$ and some randomness $r$ from a randomness space $\mathcal{R}$, and output to a range $\mathcal{Y}$, i.e.,
$h : \mathcal{M} \times \mathcal{R} \to \mathcal{Y}$. The randomness space is associated with some efficiently sampleable
distribution. There are three properties we need for a family of chameleon hash functions:

- (Chameleon property) We require an algorithm $HG$ that samples a hash function $h \in \mathcal{H}$
together with trapdoor information $td$ satisfying that for any $m \in \mathcal{M}$ and $y \in \mathcal{Y}$, it is
possible (using $td$) to efficiently sample $r \leftarrow \mathcal{R}$ under the distribution associated with $\mathcal{R}$
such that $h(m, r) = y$.

- (Uniformity) For $h \leftarrow \mathcal{H}$ and $r \leftarrow \mathcal{R}$, $(h, h(m, r))$ is uniform over $\mathcal{H} \times \mathcal{Y}$ up to negligible
statistical distance.

- (Collision resistance) For a hash function $h \leftarrow \mathcal{H}$, it is computationally infeasible for an
adversary to find $(m, r), (m', r')$ with $(m, r) \neq (m', r')$ such that $h(m, r) = h(m', r')$.

Quantum Random-Oracle Model. The random oracle model is a technique used in
cryptographic proofs. In it, hash functions are replaced with random oracles. An adversary
is given access to query this random oracle by providing an input $x$, and is returned the
response $O(x)$. These random oracles exist to replace hash functions in our proof. When
we examine the proof in the context of quantum computers, Boneh et al. have pointed
out that since superposition queries to hash functions are possible, to truly capture this in
a model allowing quantum computers, we must allow superposition queries to the random
oracle. So we will allow superpositions of queries to our random oracle, $\sum_{x,y} \alpha_{x,y} |x, y\rangle$, which
will be responded to with a superposition of answers, $\sum_{x,y} \alpha_{x,y} |x, y \oplus O(x)\rangle$.

A cryptographic scheme is said to be quantum-safe (or quantum-secure) if the security
conditions still hold once the adversaries become efficient quantum computers. We do not
go into more precise definitions. See for example [?] for details.

3 Getting SU from EU in QRO

In this section we prove our main theorem. 

► Theorem 4. There exists a generic conversion that takes a quantum-safe eu-acma signature
scheme $\Sigma = (G, S, V)$ and a family of quantum-safe collision-resistant chameleon hash
functions $\mathcal{H}$ and produces a quantum-safe su-acma signature scheme $\Sigma' = (G', S', V')$ in the
quantum random-oracle model.
3.1 The Transformation

We first recall the TOO transformation [30] with a minor change. We use a generic chameleon
hash function instead of an instantiation from the discrete log problem.

- $G'$. On input a security parameter $1^n$, do the following:

  - Run $G$, obtaining $(pk, sk)$.

  - Run $HG$, obtaining a chameleon hash function $h$ with trapdoor $td$.

  - Set $pk' = (pk, h)$ and $sk' = (sk, td)$.

- $S'$. On input of a message $M$, do the following:

  - Sample a random $C$ from the range of $h$.

  - Sign $C$ using the signing algorithm $S$, obtaining $\sigma = S(C, sk)$.

  - Compute $m = O(M \| \sigma)$, where $O$ is a hash function (to be replaced with a random
oracle in the proof).

  - Using the trapdoor information $td$, find an $r$ such that $h(m, r) = C$.

  - Output $\sigma' = (\sigma, r)$.

- $V'$. On input of a message $M$ and a signature $\sigma' = (\sigma, r)$, do the following:

  - Compute $m = O(M \| \sigma)$ and $C = h(m, r)$.

  - Output 'Accept' if and only if $V(C, \sigma, pk) = $ 'Accept' (otherwise, output 'Reject').

The correctness of the algorithm can be seen easily. If $\sigma'$ was a signature generated on
$M$ using $S'$, then $C$ will be the same $C$ generated during the running of $S'$, and is precisely
what $\sigma$ is a signature for.
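The transformation above, as an added example that is not the paper's code: a Python implementation over toy building blocks that are assumptions of this example, namely a Schnorr signature deliberately made malleable by a tag its verifier ignores, and the Krawczyk-Rabin discrete-log chameleon hash $h(m, r) = g^m y^r \bmod p$ with trapdoor $x = \log_g y$, both over a small safe-prime group found at import time. demo() shows why the result is strongly unforgeable where the base scheme is not: a mauled $\sigma$ still verifies on $C$ under $V$, but $V'$ recomputes $m = O(M \| \sigma)$ and then $h(m, r)$ no longer equals $C$.

```python
import hashlib
import secrets

# Constructed example of the TOO transformation (Section 3.1), not the paper's code.
# Assumed toy building blocks: a Schnorr signature made malleable by an ignored tag, and
# the Krawczyk-Rabin discrete-log chameleon hash h(m, r) = g^m y^r mod p, trapdoor x = log_g y.

def _is_prime(n):
    # Deterministic Miller-Rabin for odd n > 37 (exact below 3e23 with these bases).
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(start=1 << 40):
    # Smallest safe prime p = 2q + 1 with q > start; 4 generates the order-q subgroup.
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, GEN = _safe_prime_group()   # toy size: fine for a demo, useless for security

def O(*parts):
    # The hash function O (a random oracle in the proof), mapped into Z_q.
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def enc(n):
    return str(n).encode()

# Base scheme Sigma = (G, S, V): Schnorr plus a tag that V ignores. It stays
# eu-acma, but it is not su-acma: flipping the tag gives a new valid signature.
def base_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(GEN, sk, P), sk

def base_sign(msg, sk):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(GEN, k, P)
    return R, (k + O(enc(R), msg) * sk) % Q, secrets.randbits(32)

def base_verify(msg, sig, pk):
    R, s, _tag = sig                       # the tag never enters the check
    return pow(GEN, s, P) == R * pow(pk, O(enc(R), msg), P) % P

# Chameleon hash family H: HG outputs (h = y, td = x); with td, any (m0, r0) and
# target m give an r with h(m, r) = h(m0, r0) (chameleon property).
def hg():
    x = secrets.randbelow(Q - 1) + 1
    return pow(GEN, x, P), x

def ch_hash(y, m, r):
    return pow(GEN, m, P) * pow(y, r, P) % P

def ch_trapdoor(x, m0, r0, m):
    return (m0 + x * r0 - m) * pow(x, -1, Q) % Q   # pow(x, -1, Q) needs Python 3.8+

# The transformed scheme Sigma' = (G', S', V').
def too_keygen():
    pk, sk = base_keygen()
    y, x = hg()
    return (pk, y), (sk, x, y)

def too_sign(M, sk_prime):
    sk, x, y = sk_prime
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    C = ch_hash(y, m0, r0)                 # random C from the range of h (uniformity)
    sigma = base_sign(enc(C), sk)          # sign C, not M
    m = O(M, *map(enc, sigma))             # m = O(M || sigma)
    return sigma, ch_trapdoor(x, m0, r0, m)   # r such that h(m, r) = C

def too_verify(M, sig_prime, pk_prime):
    pk, y = pk_prime
    sigma, r = sig_prime
    m = O(M, *map(enc, sigma))
    return base_verify(enc(ch_hash(y, m, r)), sigma, pk)

def demo():
    # Honest sigma' verifies; a mauled sigma still fools V on C but V' rejects it.
    pk_prime, sk_prime = too_keygen()
    M = b"constructed message"
    sigma, r = too_sign(M, sk_prime)
    mauled = (sigma[0], sigma[1], sigma[2] ^ 1)            # flip the ignored tag
    C = ch_hash(pk_prime[1], O(M, *map(enc, sigma)), r)   # the C that was signed
    return {
        "honest_ok": too_verify(M, (sigma, r), pk_prime),
        "base_accepts_mauled": base_verify(enc(C), mauled, pk_prime[0]),
        "too_accepts_mauled": too_verify(M, (mauled, r), pk_prime),
    }
```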

3.2 Main Technical Lemma: Adaptively Programming a Quantum RO

To prove the main theorem, we demonstrate a new scenario where we can adaptively program
a quantum random-oracle. This extends existing works (e.g., [?]) from the information-theoretic
setting to a computational setting, and we believe it is potentially useful elsewhere.
We will formalize a probabilistic game which we call witness-search. It potentially
captures the essence of numerous security definitions for cryptographic schemes (e.g., signatures).
Then we show that the (computational) hardness of witness-search allows for
adaptively programming a quantum random-oracle.

Let Samp be an instance-sampling algorithm. On input $1^n$, Samp generates public information
$pk$, a description of a predicate $P$, and a witness $w$ satisfying $P(pk, w) = 1$. Define a
witness-search game WS as below.

Witness-Search Game WS

1. Challenger $C$ generates $(pk, w, P) \leftarrow \mathrm{Samp}(1^n)$. Ignore $w$. Let $W_{pk} := \{w : P(pk, w) = 1\}$
be the collection of valid witnesses.

2. $A$ receives $pk$ and produces a string $w$ as output.

3. We say $A$ wins the game if $w \in W_{pk}$.

We say WS(Samp) is hard if for any poly-time $A$, $\Pr[A \text{ wins}] \le \mathrm{negl}(n)$. For instance,
Samp could be the KeyGen algorithm of a signature scheme: $pk$ consists of the public key
and a description of the signature scheme, the predicate $P$ is the verification algorithm, and a
witness consists of a valid message-signature pair. Security of the signature scheme implies
hardness of WS(Samp).

► Lemma 5 (Hardness of Witness-Search to Programming QRO). Let two experiments $E$ and
$E'$ be as below. If WS is hard, then $\mathrm{ADV} := |\Pr_{E}[b = 1] - \Pr_{E'}[b = 1]| \le \mathrm{negl}(n)$.

Note that $E'$ differs from $E$ only in that we reprogram the random oracle at some point
in $E'$. We defer the proof of this lemma to Appendix ??.


Experiment $E$

1. Generate $(pk, w, P) \leftarrow \mathrm{Samp}(1^n)$.

2. $O$ is drawn uniformly at random from the collection of all functions.

3. $A_1$ receives $pk$ as input and makes at most $q_1$ queries to $O$. $A_1$ produces a classical
string $x$.

4. Set $z := O(x \| w)$.

5. $A_2$ gets $(x, w, z)$ and may access the final state of $A_1$. $A_2$ makes at most $q_2$ queries
to $O$. It outputs $b \in \{0, 1\}$ at the end.

Experiment $E'$

1. Generate $(pk, w, P) \leftarrow \mathrm{Samp}(1^n)$.

2. $O$ is drawn uniformly at random from the collection of all functions.

3. $A_1$ makes at most $q_1$ queries to $O$. It produces a classical string $x$.

4. Pick a random $z \leftarrow \mathrm{Range}(O)$. Reprogram $O$ to $O'$: $O'(y) = O(y)$ except that
$O'(x \| w) = z$.

5. $A_2$ gets $(x, w, z)$ and may access the final state of $A_1$. $A_2$ makes at most $q_2$ queries
to $O'$. It outputs $b \in \{0, 1\}$ at the end.


To prove Lemma 5 we need another lemma below to pave the road. Roughly, we want to
argue that if witness-search is hard, then given an oracle which is either the all-zero function
or a function that marks the witness set $W_{pk}$, no efficient algorithm can distinguish them.
This may be intuitively interpreted as a computational analogue of the Grover search lower
bound. Its proof can be found in Appendix B.

► Lemma 6. Let $f$ be the all-zero function, and $f_S$ be the characteristic function of a set
$S$. Namely $f_S(x) = 1$ iff $x \in S$. Define two experiments $G$ and $G'$ as below. If WS(Samp)
is hard, then for any efficient $A$ making $q \le \mathrm{poly}(n)$ queries,
$|\Pr_{G}[b = 1] - \Pr_{G'}[b = 1]| \le \mathrm{negl}(n)$.


Experiment $G$

1. Generate $(pk, w, P) \leftarrow \mathrm{Samp}(1^n)$.

2. $A$ is given $pk$ and (quantum) access to $f$. $A$ makes at most $q$ queries to $f$ and
afterwards $w$ is given to $A$. It outputs $b \in \{0, 1\}$ and aborts.

Experiment $G'$

1. Generate $(pk, w, P) \leftarrow \mathrm{Samp}(1^n)$. Let $f_{pk} := f_{W_{pk}}$, where $W_{pk} = \{w : P(pk, w) = 1\}$
(i.e., $f_{pk}(x) = 1$ iff $x \in W_{pk}$).

2. $A$ is given $pk$ and (quantum) access to $f_{pk}$. $A$ makes at most $q$ queries to $f_{pk}$ and
afterwards $w$ is given to $A$. It outputs $b \in \{0, 1\}$ and aborts.


Proof of Lemma 5. We use a hybrid argument to prove the lemma. Define $E_i$, $i = 1, \ldots, 4$,
as follows.

- $E_1 := E$. ($A_1^{O} / A_2^{O}$ in short.)

- $E_2$: identical to $E_1$ except that in step 3, $O$ is replaced by $\tilde{O}$, where $\tilde{O}(y) = O(y)$ but
$\tilde{O}(y) = 0$ for any $y = x \| w$ with $w \in W_{pk}$. ($A_1^{\tilde{O}} / A_2^{O}$)

- $E_3$: identical to $E_2$ except that after step 3, we use $O'$ as defined in $E'$ instead of $O$.
Observe that $E_3$ can also be obtained from $E'$ by substituting $\tilde{O}$ for $O$ in step 3. ($A_1^{\tilde{O}} / A_2^{O'}$)

- $E_4 := E'$. ($A_1^{O} / A_2^{O'}$)

Define $\mathrm{ADV}_i := |\Pr_{E_i}[b = 1] - \Pr_{E_{i+1}}[b = 1]|$. We will show that $\mathrm{ADV}_1$ and $\mathrm{ADV}_3$ are
both negligible using Lemma 6. $\mathrm{ADV}_2 = 0$ since in both $E_2$ and $E_3$, the function values
on $W_{pk}$ are assigned uniformly at random and independently of anything else. Therefore we
conclude that $\mathrm{ADV} = |\Pr_{E}[b = 1] - \Pr_{E'}[b = 1]| \le \sum_i \mathrm{ADV}_i = \mathrm{negl}(n)$.

We are only left to prove that $\mathrm{ADV}_1 \le \mathrm{negl}(n)$; $\mathrm{ADV}_3 \le \mathrm{negl}(n)$ follows by a similar
argument. Suppose for contradiction that there exist $(A_1, A_2)$ such that $\mathrm{ADV}_1 \ge 1/p(n)$
for some polynomial $p(\cdot)$. We show that this leads to a contradiction to Lemma 6, namely that
$|\Pr_{G}[b = 1] - \Pr_{G'}[b = 1]| \le \mathrm{negl}(n)$, which in turn contradicts the hardness of witness-search.
To see this, we construct an algorithm $D$ from $(A_1, A_2)$ that runs in $G$ and $G'$ such
that $|\Pr_{G}[b = 1 : D] - \Pr_{G'}[b = 1 : D]| \ge 1/p(n)$. Let $F$ be an oracle which ignores the first
part of the input and then applies either the all-zero function $f$ or $f_{pk}$ (as defined in $G'$) on the
second part. Let $g$ be a random function. Define another oracle $H := g \circ F$ that implements
the following transformation:

$$|x, y\rangle \mapsto |x, y\rangle \otimes |0\rangle \qquad \text{append an auxiliary register}$$
$$\mapsto |x, y\rangle \otimes |\bar{F}(x)\rangle \qquad \text{compute the negation of } F \text{ on aux}$$
$$\mapsto |x, y \oplus \bar{F}(x) \cdot g(x)\rangle \otimes |\bar{F}(x)\rangle \qquad \text{controlled-}g$$
$$\mapsto |x, y \oplus \bar{F}(x) \cdot g(x)\rangle \qquad \text{uncompute the negation of } F \text{ and discard aux}$$

Observe that if $F$ is induced from $f$ then $H$ is identical to a random function $O$, whereas if
$F$ comes from $f_{pk}$ then $H$ is identical to $\tilde{O}$ as in $E_2$. For an algorithm that queries at most
$q$ times to $H$, we can sample $g$ from a family of $2q$-wise independent functions and simulate
$H$ efficiently (with access to $F$) without any noticeable difference.

Construction of $D$

1. $D$ receives $pk$ and an oracle $F$ (one of the two candidates above).

2. $D$ simulates the oracle $H = g \circ F$ as defined above. $D$ then simulates $A_1$; each
query from $A_1$ is answered by $H$ with (two) oracle calls to $F$. Let $x$ be the output
of $A_1$.

3. $D$ receives $w$ (from the external challenger). It then simulates $A_2$ on input $(x, w, z := H(x \| w))$,
and oracle queries are answered by $H$.

4. $D$ outputs the output of $A_2$.

It is easy to see that if $F$ is induced from $f$, the view of $A_1$ and $A_2$ is identical to that in
$E_1$. Likewise if $F$ is induced by $f_{pk}$ then it is the same view as in $E_2$. Therefore
$|\Pr_{G}[b = 1 : D] - \Pr_{G'}[b = 1 : D]| = |\Pr_{E_1}[b = 1 : (A_1, A_2)] - \Pr_{E_2}[b = 1 : (A_1, A_2)]| \ge 1/p(n)$.
This gives a contradiction.

◀


3.3 Proof of Theorem 4

Brief Review of the Classical Proof. The classical proof roughly goes as follows: consider a forger
$A$. If $(M^*, (\sigma^*, r^*))$ is the forgery that $A$ eventually submits, we let $C^* = h(O(M^* \| \sig
ma^*), r^*)$.
Similarly, for a signing query $M_i$ made by the forger, we let $C_i = h(O(M_i \| \sigma_i), r_i)$.

We then analyze two separate cases. First the instance where $C^* \neq C_i$ for all $i$. In this
case we show that this gives a break to the existential unforgeability of the signature scheme
$\Sigma$, by way of $(C^*, \sigma^*)$. Next, we examine the case where $C^* = C_i$ for some $i$. In this case
we show that $(O(M^* \| \sigma^*), r^*)$ and $(O(M_i \| \sigma_i), r_i)$ provide a break to the collision resistance
of the chameleon hash function.

For completeness the full classical proof is included in the appendix. It is adapted from [30],
and we use a generic chameleon hash function instead of a concrete instantiation from the
discrete logarithm problem. There are also changes which in our opinion make the proof
easier to understand.

Proof in the quantum random-oracle model. Let $A$ be the forger making at most $q$
queries, and let $\epsilon$ be the probability that $A$ succeeds in her forgery. We construct $B$ that
either breaks the existential unforgeability of $\Sigma$ or can find collisions in $\mathcal{H}$.

- Case 1: We define this case as occurring when $C^* \neq C_i$ for all $i$.

Firstly, $B$ will be acting as a quantum random oracle for $A$. To do this, $B$ simply chooses
a $2q$-wise independent hash function $O$, and for any query $\sum \alpha_{x,z} |x, z\rangle$ that $A$ makes, $B$
responds with $\sum \alpha_{x,z} |x, O(x) \oplus z\rangle$.

Construction of Existential Forger $B$

1. $B$ receives a public key $pk$ from the challenger $C$.

2. $B$ simulates a variant of the strongly-unforgeable game with $A$:

  i) $B$ generates $(h, td) \leftarrow HG(1^n)$. Initiate $A$ with $pk' = (pk, h)$.

  ii) $B$ simulates a random-oracle using a $2q$-wise independent hash function.

  iii) On the $i$th signing query $M_i$ from $A$, $B$ chooses a random $C_i$. It then signs $C_i$
by submitting it to $C$, obtaining $\sigma_i$. It computes $m_i = O(M_i \| \sigma_i)$, and using
the trapdoor information $td$, finds an $r_i$ such that $h(m_i, r_i) = C_i$. It sends
$\sigma_i' = (\sigma_i, r_i)$ to $A$.

3. Let $(M^*, (\sigma^*, r^*))$ be the final forgery produced by $A$. Output $(C^*, \sigma^*)$ as the forgery.

From $A$'s point of view, a $2q$-wise independent function is identical to a random function
[?]. Noting that $C^* \neq C_i$ for all $i$, that the $C_i$'s are precisely what was submitted to
$C$ for signing queries, and finally, seeing as this is a valid forgery, that $V(C^*, \sigma^*, pk) = $ 'accept',
we can see that $B$ submits $(C^*, \sigma^*)$ as a valid new forgery, breaking the existential
unforgeability of $\Sigma$ and winning his game with $C$. Thus in this case whenever $A$ succeeds,
so does $B$, and so the probability that $B$ succeeds given we are in this case is $\epsilon$.

- Case 2: This case is defined as occurring when $C^* = C_i$ for some $i$. In this case we will
show a reduction to break the collision resistance of the chameleon hash function.

It is easy to see that $B$ finds a valid collision as long as $A$ produces a valid forgery,
with overwhelming probability. This is because if $C^* = C_i$, then $h(O(M^* \| \sigma^*), r^*) =
h(O(M_i \| \sigma_i), r_i)$. We simply need to ensure that this is not a trivial collision. Note that
since this must be a new forgery, $(M^*, \sigma^*, r^*) \neq (M_i, \sigma_i, r_i)$. If $r^* \neq r_i$, we are done.
Otherwise, we can see that $M^* \| \sigma^* \neq M_i \| \sigma_i$, and thus, since the values of $O(M_i \| \sigma_i)$ were
chosen uniformly at random, $O(M^* \| \sigma^*) \neq O(M_i \| \sigma_i)$ with overwhelming probability.
Therefore if we let EVT be the event that $A$ produces a valid forgery, we only need to
show that EVT occurs with probability $\Omega(\epsilon)$ in the construction of $B$. We prove it by
a hybrid argument which transforms the standard strongly unforgeable game into the
variant used in the construction of $B$. We will show that the probability of EVT is essentially
preserved in the hybrid argument.

Construction of Collision-Finding Adversary $B$

1. $B$ receives $h$ from the challenger, which is sampled from the chameleon hash function
family.

2. $B$, playing the role of a challenger, simulates a variant of the strongly-unforgeable
game with $A$:

  i) $B$ generates $(pk, sk) \leftarrow G(1^n)$. Initialize $A$ with $pk' = (pk, h)$. For $i = 1, \ldots, q$,
$B$ generates $m_i$ uniformly at random and $r_i \leftarrow \mathcal{R}$ (according to the specification
of $h$). $B$ computes $C_i := h(m_i, r_i)$ and $\sigma_i := S(sk, C_i)$.

  ii) $B$ simulates a random-oracle in the usual way (i.e., with a $t$-wise independent hash
function).

  iii) On the $i$th signing query $M_i$ from $A$, $B$ reprograms the random-oracle:
$O(M_i \| \sigma_i) \leftarrow m_i$, and returns $(\sigma_i, r_i)$ to $A$.

3. Let $(M^*, (\sigma^*, r^*))$ be the final forgery produced by $A$. We know $C^* = C_i$ for some $i$.
Output $(O(M^* \| \sigma^*), r^*), (O(M_i \| \sigma_i), r_i)$ as the collision.

Let $\mathrm{Hyb}_0$ be the standard strongly-unforgeable game with $A$. By hypothesis
$\Pr[\mathrm{EVT} : \mathrm{Hyb}_0] \ge \epsilon$. Consider the first hybrid $\mathrm{Hyb}_1$ that makes only one change to $\mathrm{Hyb}_0$: when
the challenger answers a signing query, instead of querying the random-oracle $O$ to
obtain $m_i := O(M_i \| \sigma_i)$, it samples a random $m_i$ and programs the random oracle so
that $O(M_i \| \sigma_i) = m_i$.² Note that in particular the challenger still uses the trapdoor to
find $r_i \leftarrow h^{-1}(C_i, m_i)$. By Lemma 5 we claim that
$|\Pr[\mathrm{EVT} : \mathrm{Hyb}_0] - \Pr[\mathrm{EVT} : \mathrm{Hyb}_1]| \le \mathrm{negl}(n)$. Specifically, we instantiate Samp as follows.
$pk$ will consist of a public key for $\Sigma$, the hash function $h$, and the random messages $C_i$.
$P$ will be the verification algorithm of $\Sigma$. $w := \sigma_i = S(sk, C_i)$ is the signature generated
by $B$ in 2.i), and $W_{pk}$ consists of all strings that form a valid signature of $C_i$ under $\Sigma$.
WS(Samp) is hard because $\Sigma$ is existential-unforgeable.

$\mathrm{Hyb}_2$ is obtained by a small change to $\mathrm{Hyb}_1$. Instead of sampling a random $C_i$, it is
obtained by computing $h(m_i, r_i)$ from random $(m_i, r_i)$. This change only causes (statistically)
a negligible error. This is because if $h \leftarrow \mathcal{H}$ and $r_i \leftarrow \mathcal{R}$ then $C_i := h(m_i, r_i)$
will be uniformly random by the uniformity property of $\mathcal{H}$. In addition the chameleon
property of $\mathcal{H}$ tells us that $r_i \leftarrow h^{-1}(C_i, m_i)$ is distributed statistically close to sampling
$r_i \leftarrow \mathcal{R}$. Therefore the order of generating $C_i$ and $r_i$ does not matter.

Thus we see that $B$ is able to break the collision-resistance property of the chameleon
hash function.

In sum, we have shown that if there is an adversary A breaking S', then there is an 
adversary who manages to break either the collision resistance of the chameleon hash func¬ 
tion T-L, or the existential unforgeability of the original signature scheme S with probablity 
n(e). This contradicts the security of S and Ti. \i e > l/poly{n). Thus we conclude that 
Theorem |4] holds. 


Footnote 2: More precisely, we need to introduce sub-hybrids, each of which makes such a change for just one signing query.
Discussion

Obtaining a quantum-safe su-acma signature scheme. Cash et al. presented a scheme for generating chameleon hash functions based on the short integer solution (SIS) problem for lattices. They also gave a reduction showing that an efficient algorithm breaking the collision resistance of the hash function implies an efficient algorithm for SIS. Using results from [28], this reduction can be shown to carry through to the quantum setting. As SIS is currently believed to be hard even for quantum computers, the collision resistance of these chameleon hash functions holds even against a quantum adversary. This chameleon hash function scheme can therefore be used in the transformation in this paper to get a quantum-secure transformation. Applied to any quantum-safe eu-acma signature scheme, the transformation then yields a quantum-safe su-acma scheme in the quantum random-oracle model.

When implementing the scheme with the chameleon hash function of Cash et al. we can see what the overhead would be in an actual realization. Let $n \geq 1$, $q \geq 2$, and $m = O(n \log q)$. Let $k$ be the output length of the hash function. Then the public key $pk'$ will now carry with it a matrix, so $|pk'| = |pk| + n(k + m)$ (counting entries of $\mathbb{Z}_q$). The secret key now includes a specialized lattice basis, which can be written as an $m \times m$ matrix over $\mathbb{Z}_q$, giving us $|sk'| = |sk| + m^2$. Finally, the signature overhead is the inclusion of a vector in $\mathbb{Z}^m$, so $|\sigma'| = |\sigma| + m$.

A signature scheme based on the Short Integer Solution problem for lattices is also presented by Cash et al. Examining the proof presented there with tools from [28], we can see that this signature scheme is quantum-safe eu-acma. Applying the transformation of this paper to that scheme, we obtain a quantum-safe su-acma signature scheme. In fact, we can show that the reduction of Cash et al. is not as tight as it could be: for messages of length $k$ and at most $Q$ signing queries, we can show that for an adversary $A$ and reduction $S$,

$$\mathrm{ADV}_{\mathrm{SIS}}(S^A) \geq \frac{\mathrm{ADV}(A)}{Q(k - \log Q)}.$$

This is a small improvement over the result of the paper, which shows $\mathrm{ADV}_{\mathrm{SIS}}(S^A) \geq \mathrm{ADV}(A)/(Q(k - 1) + 1)$.

Future directions. Our work has studied a very specific transformation that gives a systematic way of getting quantum-safe su-acma signatures. There are a few more transformations in the plain model (i.e. without a random-oracle) [...]. We conjecture that they also hold against quantum adversaries. If this is the case, it will be meaningful to evaluate all these transformations and figure out which one is preferable for specific applications. On the other hand, we chose the Bonsai-tree signature scheme of Cash et al. to instantiate the TOO transformation. There are many recent improvements on lattice-based signatures in terms of key size and computational efficiency [...], which are shown to be eu-acma classically. If they can be shown to be quantum-safe, then we can get more efficient quantum-safe su-acma schemes in the quantum random-oracle model.
A Classical Proof


Let A be the forger, B the reduction, and C the challenger. In each case, B and A will be playing a game of strong unforgeability. Let the probability that A succeeds be $\varepsilon$. In Case 1, C and B will play a game of existential unforgeability on the signature scheme S. In Case 2, C and B will play a game of collision resistance on the chameleon hash function $h$. We show that if the probability that A succeeds in her forgery is $\varepsilon$, then the probability that B succeeds is $\geq \varepsilon/2 - \mathrm{negl}(n)$. At the beginning of the reduction, B will flip a coin and guess which case the adversary's forgery will fall under. Clearly, B will be correct with probability $1/2$.

In our reduction, let the forgery that A eventually submits be $(M^*, \sigma'^* = (\sigma^*, r^*))$. Let $C^* = h(O(M^* \| \sigma^*), r^*)$. Similarly, for each $M_i$ the forger submits to the signing oracle, there is an associated $\sigma'_i = (\sigma_i, r_i)$ and $C_i$.
Case 1: $C^* \neq C_i$ for all $i$. We show that whenever the forger succeeds in creating a valid forgery of this type, the reduction succeeds in breaking the existential unforgeability of the original scheme $S = (G, S, V)$.

C and B will be playing a game of existential unforgeability, while B and A will be playing a game of strong unforgeability. We will show that whenever A wins her game, B wins his (so long as the forgery is of the type described above).

The games will play out as follows:

Firstly, B will act as the random oracle for A. In the first case at least (and this will change only slightly from case to case), he can do this in the following way. Whenever A queries the random oracle, B looks up in a maintained table whether that query has been made before. If it has, he responds with the value he responded with before. If it has not, he generates a random value, records it in the table, and responds with it.

Now we discuss how the game of strong unforgeability transpires.

C sends B a public key $pk$ of the scheme S. B generates a chameleon hash function $h$ (with corresponding trapdoor $td$) and sends the public key and hash function to A as $pk' = (pk, h)$.

A will start submitting messages $M_i$ to B for signing. For each query, B does the following:

- Choose a random $\hat m_i$ and $\hat r_i$ and compute $C_i = h(\hat m_i, \hat r_i)$.
- Sign $C_i$ by submitting it to C as a signing query, obtaining $\sigma_i$.
- Query $M_i \| \sigma_i$ to the random oracle, obtaining $m_i = O(M_i \| \sigma_i)$.
- Using the trapdoor information $td$, find an $r_i$ such that $h(m_i, r_i) = C_i$.
- Set $\sigma'_i = (\sigma_i, r_i)$.
- Send $\sigma'_i$ to A.

Eventually, A will submit a valid forgery $M^*, \sigma'^* = (\sigma^*, r^*)$.

Then B takes these and computes $C^* = h(O(M^* \| \sigma^*), r^*)$.

Noting that $C^* \neq C_i$ for all $i$, that the $C_i$'s are precisely what was submitted to C as signing queries, and finally that this is a valid forgery, so $V(C^*, \sigma^*) = \text{accept}$, we see that B can submit $(C^*, \sigma^*)$ as a valid new forgery, breaking the existential unforgeability of S and winning his game with C.

Thus in this case whenever A succeeds, so does B, and so the probability that B succeeds, given that we are in this case, is $\varepsilon$.

Case 2: This case is defined as occurring when $C^* = C_i$ for some $i$. In this case we will show a reduction that breaks the collision resistance of the chameleon hash function.

To start with, C sends B the description of a chameleon hash function $h$, for which B must find a collision.

B then runs the key generation algorithm of the signature scheme S, obtaining $(pk, sk)$. He then sends $pk' = (pk, h)$ to A.

For each signing query $M_i$ that A sends to B, B does the following:

- Choose a random $m_i$ and $r_i$ and compute $C_i = h(m_i, r_i)$.
- Sign $C_i$ using the signing algorithm S, obtaining $\sigma_i = S(sk, C_i)$.
- Reprogram the random oracle so that $O(M_i \| \sigma_i) = m_i$.
- Set $\sigma'_i = (\sigma_i, r_i)$.
- Send $\sigma'_i$ to A.

Note that we have now permitted B to reprogram the random oracle for the purposes of this proof. Thus it is necessary to show that A will still output a valid forgery (Lemma 7 below).

When A eventually submits her forgery $(M^*, \sigma'^*)$, we have $C^* = C_i$ for some $i$. This implies that $h(O(M_i \| \sigma_i), r_i) = h(O(M^* \| \sigma^*), r^*)$ for that $i$. This gives a collision for the chameleon hash function $h$, which is what B is looking for. But we must take care to ensure that it isn't a trivial collision.

Note that $(M_i, \sigma_i, r_i) \neq (M^*, \sigma^*, r^*)$, simply because, in the strong unforgeability game, the forgery's message and signature together cannot equal one of the pairs $(M_i, \sigma'_i)$ obtained from the signing oracle. So at least one of these values is different.

If $r_i \neq r^*$, we are done: the two preimages differ in their second component. Otherwise, it must be the case that $M^* \| \sigma^* \neq M_i \| \sigma_i$. In this case, since the values of the random oracle on distinct inputs are chosen uniformly and independently at random, with overwhelming probability $O(M^* \| \sigma^*) \neq O(M_i \| \sigma_i)$, giving B a collision for $h$.

So in this case, B will succeed as long as A does, up to a negligible probability, by Lemma 7. So the probability that B succeeds is $\geq \varepsilon - \mathrm{negl}(n)$.

► Lemma 7. For a forger A, let $B_1$ and $B_2$ be as below, and have them play a game of strong unforgeability with A. Then

$$\bigl|\Pr_{B_1}[A \text{ wins}] - \Pr_{B_2}[A \text{ wins}]\bigr| \leq \mathrm{negl}(n),$$

as long as the underlying signature scheme is existentially unforgeable.

$B_1$ is defined to operate exactly as the transformation dictates. $B_2$ operates as B was defined to in Case 2 above.

Proof. Suppose the difference in the probability that A wins were not negligible. As the distribution of all other values is the same, the only difference from A's perspective is that the value of $O(M_i \| \sigma_i)$ was changed for each $i$.

But clearly the only way for A to notice that these values changed is to have already queried $O(M_i \| \sigma_i)$ before receiving $\sigma'_i$. If A does this with non-negligible probability, then we can construct a reduction that breaks the existential unforgeability of the signature scheme: it plays the strong unforgeability game with A and, before submitting each $C_i$ to the signing oracle, checks whether A has already queried the random oracle at some $M_i \| \sigma$ with $\sigma$ a valid signature on $C_i$ under $pk$. With non-negligible probability the reduction finds such a $\sigma$, which is a valid signature on a message $C_i$ that has not yet been submitted to the signing oracle. So it submits $(C_i, \sigma)$ as its forgery and has broken the existential unforgeability of the scheme. ◄

Therefore in both cases, as long as B successfully guesses which case the forgery will fall under, he manages to break either the collision resistance of the chameleon hash function $h$ or the existential unforgeability of the original signature scheme S. Since B correctly guesses which case he is in half of the time, his probability of success is $\geq \varepsilon/2 - \mathrm{negl}(n)$.

B Proof of Lemma

Proof. Let A be an arbitrary algorithm running in G (or G'). Consider another algorithm B that runs in the following experiment EXT:

Extraction Experiment EXT

1. Generate $(pk, w, P) \leftarrow \mathrm{Samp}(1^n)$. Ignore $w$.

2. B receives $pk$ and picks $j \leftarrow \{1, \ldots, q\}$ at random.

3. B simulates A on $pk$ with (quantum) access to $f$. Just before A makes the $j$th query to $f$, B measures the register that contains A's query. Let $z$ be the measurement outcome, which B outputs.

Let $p_B := \Pr_{\mathrm{EXT}}[z \in W_{pk}]$ be the probability that the output of B is a valid witness. Let $\varepsilon := |\Pr_G[b = 1] - \Pr_{G'}[b = 1]|$. In both experiments G and G', $pk$ is selected at random according to Samp. Let $P_{pk}$ be the probability that $pk$ is output. Then

$$\varepsilon = \Bigl|\sum_{pk} P_{pk}\bigl(\Pr_G[b = 1 \mid pk] - \Pr_{G'}[b = 1 \mid pk]\bigr)\Bigr| \leq \sum_{pk} P_{pk} \cdot \bigl|\Pr_G[b = 1 \mid pk] - \Pr_{G'}[b = 1 \mid pk]\bigr|.$$


Let $\varepsilon_{pk} := |\Pr_G[b = 1 \mid pk] - \Pr_{G'}[b = 1 \mid pk]|$. Let $|\phi_i\rangle$ be the state of A on input $pk$ when the $i$th query is made, and let $q_y(|\phi_i\rangle)$ be the sum of squared magnitudes of the components of $|\phi_i\rangle$ in which A queries the oracle on the string $y$ (the query magnitude of $y$).

Let $\mathcal{S} = [q] \times W_{pk}$ and $\delta_{pk} = \sum_{(i,y) \in \mathcal{S}} q_y(|\phi_i\rangle)$. We employ a theorem of Bennett et al. [3], which states that $\bigl\| |\phi_q\rangle - |\phi'_q\rangle \bigr\| \leq \sqrt{q \cdot \delta_{pk}}$. (Here $|\phi'_i\rangle$ is defined in the same way as $|\phi_i\rangle$ but with G' rather than G.)

The same paper [3] also bounds the probability of distinguishing the two states, which corresponds to our probability of distinguishing the two experiments, $\varepsilon_{pk}$, telling us that

$$\varepsilon_{pk} \leq 4 \cdot \bigl\| |\phi_q\rangle - |\phi'_q\rangle \bigr\| \leq 4\sqrt{q \cdot \delta_{pk}}.$$

Now note that $p_B^{pk}$ (that is, the probability that EXT outputs a valid witness given that $pk$ is chosen) can be written as

$$p_B^{pk} = \sum_{i \in [q]} \Pr[i \text{ chosen}] \cdot \sum_{y \in W_{pk}} q_y(|\phi_i\rangle) = \frac{1}{q} \sum_{i \in [q]} \sum_{(j,y) \in \mathcal{S}:\, j = i} q_y(|\phi_j\rangle) = \frac{1}{q} \sum_{(i,y) \in \mathcal{S}} q_y(|\phi_i\rangle) = \frac{\delta_{pk}}{q}.$$

So we can see that $\varepsilon_{pk} \leq 4\sqrt{q \cdot q\, p_B^{pk}} = 4q\sqrt{p_B^{pk}}$. Then

$$\varepsilon \leq \sum_{pk} P_{pk}\,\varepsilon_{pk} \leq 4q \sum_{pk} P_{pk} \sqrt{p_B^{pk}} \overset{(*)}{\leq} 4q \sqrt{\sum_{pk} P_{pk}\, p_B^{pk}} = 4q\sqrt{p_B},$$

where $(*)$ applies Jensen's inequality (concavity of the square root). Finally, notice that B can be viewed as an adversary in the witness-search game WS(Samp). Therefore we conclude that $p_B \leq \mathrm{negl}(n)$ by the hypothesis that WS(Samp) is hard, and hence, as $q$ is polynomial, $|\Pr_G[b = 1] - \Pr_{G'}[b = 1]| \leq 4q\sqrt{p_B} \leq \mathrm{negl}(n)$. ◄
